HTTPS MITM in Kazakhstan starting 2024-02-07

tango · March 6, 2024, 2:15am

There’s a bug in Mozilla Bugzilla that says there’s a new HTTPS MITM in Kazakhstan since 2024-02-07. (At least, that’s when the bug was opened.)

Bug 1879046: Add New Kazakhstan Root Certificate to OneCRL

Another MITM attempt by the KZ government.
When I visit https://m.reactor.cc, the real certificate is replaced with the one that I attached.

Many people install mandatory certificate to be able to access some government websites.
I’m not sure if the browser will let you in if you have those mandatory certificates installed.

The following certificate information will be of use in adding this root certificate to OneCRL:

“issuerName”: “MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==”,

“serialNumber”: “MgQS30wvsQLzmAyqdrphCuYshJI=”,

“pubKeyHash”: “iSjFk5iw8XHA+W/a5quN0PSO4G0XTaEMQErAAUPHp0k=”,

Serial Number 320412DF4C2FB102F3980CAA76BA610AE62C8492
Subject C=KZ, O=ISCA, CN=Information Security Certification Authority
Issuer C=KZ, O=ISCA, CN=Information Security Certification Authority
Not Before 2020-02-28T06:16:40Z
Not After 2050-02-28T06:16:40Z

SHA1 Hash 1375EBDCF56359AAE0423E861AC8FC6231511CE6
SHA256 Hash 89107C8E50E029B7B5F4FF0CCD2956BCC9D0C8BA2BFB6A58374ED63A6B034A30
SPKI SHA256 8928C59398B0F171C0F96FDAE6AB8DD0F48EE06D174DA10C404AC00143C7A749
Subject SPKI SHA256 6B0F6067F2FE25B0BAC6679266AE73749DC7D1044C84809398F9E37AF3F4F311
HPKP PIN-SHA256 iSjFk5iw8XHA+W/a5quN0PSO4G0XTaEMQErAAUPHp0k=
Certificate Extensions
AuthorityKeyID sgQS30wvsQLzmAyqdrphCuYshJI=
SubjectKeyId sgQS30wvsQLzmAyqdrphCuYshJI=

I found this one through a meta-tracking bug for Kazakhstan MITM:

Bug 1883772: [meta] tracking blocking Kazakhstan MITM roots

Bug	Date	Previous discussion
1229827	2015-12-02
1567114	2019-07-18	Mentioned in Paper summary: Investigating Large Scale HTTPS Interception in Kazakhstan (IMC 2020)
1680927	2020-12-05	Mentioned in Paper summary: Investigating Large Scale HTTPS Interception in Kazakhstan (IMC 2020)
1879046	2024-02-07	This thread

ValdikSS · March 6, 2024, 2:27pm

At first I thought that could be just a “page blocked” redirection host which mimic the domain, but no, this is a “legitimate” certificate issued for m.joyreactor.cc by KZ intermediate certificate.

$ openssl verify -attime 1706797413 -CAfile kzall.crt -show_chain -verbose m-joyreactor-cc\(1\).pem 
m-joyreactor-cc(1).pem: OK
Chain:
depth=0: CN = m.joyreactor.cc (untrusted)
depth=1: C = KZ, O = ISCA, CN = Intermediate
depth=2: CN = Information Security Certification Authority, O = ISCA, C = KZ